Evgeny Neyolov - Dev system hacking — arch bugs in SAP SDM
1. Invest in security to secure investments
Arch bugs in SAP Software Deployment Manager
Evgeny Neyolov feat. Dmitry Chastuhin
ERP Security Analyst
2. SAP NetWeaver Development Infrastructure
• Design Time Repository (DTR)
• Component Build Service (CBS)
• Change Management Service (CMS)
• Software Landscape Directory (SLD) / NS
• Software Deployment Manager (SDM)
erpscan.com
ERPScan — invest in security to secure investments
2
3. SAP NetWeaver Development Infrastructure
4. SAP NetWeaver Development Infrastructure
5. SAP NetWeaver Development Infrastructure
6. SAP NetWeaver Development Infrastructure
7. SAP NetWeaver Development Infrastructure
8. SAP NetWeaver Development Infrastructure
9. Software Deployment Manager
• Single interface for deployment
• Deploys apps (*.ear, *.war, *.sda)
• Implements custom patches
• Only one user at a time
• Only a hardcoded admin user
10. SDM + UME = Love
• User Management Engine
• affects almost all SAP Java components
11. SDM Attack Intro
• Thick-client Java application (sad story)
• SAP has its own SAP Java Virtual Machine (JVM)
• Java 6 has the Attach API
• Attaching to another JVM at runtime
• Intercepting and modifying calls
It is very important to note that almost everything in SAP that works with Java depends on the User Management Engine. If a user authenticated by UME has been granted a set of privileges in Enterprise Portal, he will be able to use the same login and password for any other service, for instance NetWeaver Administrator and, of course, SDM.
SAP supports Java too and has its own Java application server, which includes SAP's own Java Virtual Machine. Java 6 contains the Attach API feature, which allows seamless inter-process modification of a running JVM. The Attach API is an extension that provides a way for a Java process to "attach" to another JVM at runtime and install various "hooks" throughout class methods on that system.
As I said before, there is the User Management Engine, and all Java services are supposed to use the same user base. SAP uses local secure storage, but this storage is just a file. The picture at the top of this slide shows the content of the "secure storage". It is secure only as long as you don't know the key, but the key is in the same folder. Some time ago we presented a tool that automatically decrypts all of this.
The Knowledge Management service provides a central point of entry to unstructured information from various data sources in the portal. This unstructured information can exist in different formats such as text documents, presentations, or HTML files. For example, it can be an HTML file with JavaScript that steals the cookies of all users. Another funny trick is searching this database for passwords or other keywords.